DarkSide: A platform for cyber crime

easyDNS is pleased to sponsor Jesse Hirsh's “Future Fibre / Future Tools” segments of his new email list, Metaviews

Ransomware as a service and affiliate-based organized crime



A good measure of a society is not just how it treats its most vulnerable, but also how it responds in a crisis. When there is little faith or trust in institutions, people are more prone to panic and focus on their perceived self-interest.

Witness the response to a ransomware-induced gas shortage:

Significant stupidity aside, this episode was both an exercise in fragile psychology and a demonstration of how vulnerable our infrastructure is to cyber attack.

In this case, ironically, the attackers did not want to inflict actual damage or harm; they just wanted to get paid.

Yet what makes this story even more fascinating is the organization, or rather the platform, that made this successful attack possible.

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits.

Like other ransomware platforms, DarkSide adheres to the current badguy best practice of double extortion, which involves demanding separate sums for both a digital key needed to unlock any files and servers, and a separate ransom in exchange for a promise to destroy any data stolen from the victim.

At its launch, DarkSide sought to woo affiliates from competing ransomware programs by advertising a victim data leak site that gets “stable visits and media coverage,” as well as the ability to publish victim data by stages.

For those of you who may not be familiar with the computer criminal economy, it is remarkably sophisticated and, in many respects, mirrors its legitimate equivalent.

Talented programmers are sought after, recruited, and offered perks and support to do their work. Markets are created for stolen data, credentials, and exploits. Yet in this case, platforms are also created to successfully attack and extort targets.

Consider this a new kind of organized crime: less organized than traditional criminal syndicates, in that identities are often anonymous or pseudonymous, and yet more organized in the way it employs online systems and platforms.

Researchers have seen these dynamics for decades in malware and other software markets. However, this software-as-a-service model is relatively new.

In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.

In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.

DarkSide also has advertised a willingness to sell information about upcoming victims before their stolen information is published on the DarkSide victim shaming blog, so that enterprising investment scammers can short the company’s stock in advance of the news.

These are smart and well thought out scams, although that doesn't seem like the right word. Campaigns and strategies seem more appropriate.

Like other hacks and cybersecurity incidents that have made headlines of late, there is often an air of foreign state-based intelligence agency involvement, or at least vague associations.

Explicit links are not there, but strategic overlap certainly is.

In addition to Brian Krebs, the smart folks at FireEye have also published an analysis of how this group operates, and the kinds of activities they’re believed to be engaged in.

Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted extortion where data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more pressure on victims.

The origins of these incidents are not monolithic. DARKSIDE ransomware operates as a ransomware-as-a-service (RaaS) wherein profit is shared between its owners and partners, or affiliates, who provide access to organizations and deploy the ransomware. Mandiant currently tracks multiple threat clusters that have deployed this ransomware, which is consistent with multiple affiliates using DARKSIDE. These clusters demonstrated varying levels of technical sophistication throughout intrusions. While the threat actors commonly relied on commercially available and legitimate tools to facilitate various stages of their operations, at least one of the threat clusters also employed a now patched zero-day vulnerability.

This shared affiliate model is interesting not just because it offers a model of computer-based organized crime, but also because it is a talent recruitment, management, and incentivization process.

If anything, it is a kind of Silicon Valley approach to organized crime, albeit with Slavic influences.

DARKSIDE RaaS affiliates are required to pass an interview after which they are provided access to an administration panel (Figure 2). Within this panel, affiliates can perform various actions such as creating a ransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting support. Mandiant has identified at least five Russian-speaking actors who may currently, or have previously, been DARKSIDE affiliates. Relevant advertisements associated with a portion of these threat actors have been aimed at finding either initial access providers or actors capable of deploying ransomware on accesses already obtained.

This provides a potent combination of distributed actors using a centralized resource that offers the latest tactics and methods for infiltration and extortion.

It is also worth remembering that most successful ransomware attacks are not reported publicly. In this case the hack of the pipeline resulted in sensational news, but the reality is that most victims would prefer to remain anonymous.

Given what we’re learning about this platform, it is clearly enabling a scale and effectiveness that most targets and people underestimate.

Although I think we’re all kind of guilty of underestimating just how much herd psychology combined with stupidity can get us:
